Computer and Information Science

Non-Exam Based Assessment Cover Sheet

CIS 2103 – Principles of Information Assurance, Security & Privacy
Group Project

Course Name CIS2103 - Principles of Info. Assurance, Security & Privacy

Percentage of Final Grade. 25%

Deadline to submit report: 21 Apr 2023

Project Submission Date
Oral Defense: w/c 24 Apr 2023

This assessment will assess the following Course learning outcomes:

CLO1 CLO2 CLO3 CLO4 CLO5

The entire project/case study/poster is designed and developed by me (and my team members).
Proper citation has been used when I (and my team members) used other sources.
No part of this project has been designed, developed or written for me (and my team members) by a third
party.
I have a copy of this project in case the submitted copy is lost or damaged.
None of the music/graphics/animation/video/images used in this project have violated the Copy
Right/Patent/Intellectual Property rights of an individual, company or an Institution.
I have the written permission from people who are featuring in this project.

Student Signature: Date:

Student Signature: Date:

Student Signature: Date:

Student Signature: Date:

For Examiner’s Use Only

Student Report Presentation Total Marks
Marks Allocated 50 50 100

Marks Obtained (Student 1)

Marks Obtained (Student 2)

Marks Obtained (Student 3)

Marks Obtained (Student 4)

 I. Scenario

You are the new information security consultant company for CoinEx, a medium-sized Crypto Coin exchange
company. You have been hired to report on many security issues that the company currently faces and ones that
they anticipate to face as they plan their rapid global expansion.

Part 1: Risk Control and Cost Benefit Analysis (CLO2):

Before hiring you, the company had been plagued with some security incidents. The most serious are listed below.
• Incident #1 – Information Leakage:
- Two years ago, hackers managed to leak plans for a new coin exchange app that the company was
developing. As a result, a competitor was able to produce a rival version of the app and get it to
market first.
- CoinEx estimates that income of their exchange commission, which was expected to be at
$1,000,000 annually, was reduced by at least 40% due to the information leakage.
- Next year, the company is planning to introduce a new app that will be a major upgrade to the
previous version.
- The cost for averting a similar information leak for the new app is not yet known. But a proposed
solution, which will reduce the risk by at least half (50%), is to move to a cloud provider for their
servers. This will cost about $100,000 annually.

• Incident #2 – Virus Attack:

- This year, the company had a virus attack that took half of their customer support help desk offline
for ten days.
- Contracts fulfilled using the system are worth $10,000 every day.
- A similar virus attack is expected to happen every year.
- A proposed solution is to upgrade the antivirus software. This would cost $50,000 in licensing
annually.

• Incident #3 – River Flooding:

- Last year's flooding in the nearby river closed access to the business for one week. Floods happen
almost every twenty years.
- The estimated daily loss of income from on-site operations is estimated at $20,000.
- A proposed solution is to participate in a Community Floods Defenses Scheme. This would cost
$300,000 in contribution annually.

Management has asked you to help them deciding, by reporting on the following:

1. The results of a cost/benefit analysis of the proposed solutions.

(Results of cost/benefit analysis:

For Incident #1 – Information Leakage:
The proposed solution is to move to a cloud provider for their servers, costing $100,000 annually. Assuming the
annual income from the new app is $1,000,000, a 40% reduction in income would result in a loss of $400,000.
Therefore, the cost of the proposed solution is justifiable if it can prevent losses of more than $200,000 annually.)

Cost/Benefit Analysis of Proposed Solutions:

a) Information Leakage Incident:

Proposed Solution: Moving to a cloud provider for their servers at a cost of $100,000 annually.

Costs:

Annual cost of $100,000 for cloud server migration.

Benefits:
Reduce risk of information leakage by at least 50%.
Based on the estimated loss of income of $400,000 (40% of $1,000,000) due to the previous information leakage
incident, the proposed solution's benefit should exceed this amount to make it a viable option.

If we assume that the information leakage incident had been avoided, CoinEx would have made $1,000,000 in annual
income. With the information leakage incident, the income was reduced by 40%, which equates to $600,000 annually.
If the proposed solution reduces the risk by 50%, it would result in an additional annual income of $300,000 (50% of
$600,000).

Therefore, the cost/benefit analysis for this proposed solution would be as follows:

Cost: $100,000 annually

Benefit: $300,000 annually
Net Benefit: $200,000 annually
Based on this analysis, the proposed solution is viable and justifiable.

(For Incident #2 – Virus Attack:

The proposed solution is to upgrade the antivirus software, costing $50,000 annually. Assuming the contracts
fulfilled using the system are worth $10,000 every day, the cost of a 10-day outage due to a virus attack would be
$100,000. Therefore, the cost of the proposed solution is justifiable if it can prevent losses of more than $100,000
annually.)

Virus Attack Incident:

Proposed Solution: Upgrading antivirus software at a cost of $50,000 in licensing annually.

Costs:

Annual cost of $50,000 for upgrading antivirus software.

Benefits:

Minimize the risk of a virus attack.

Based on the estimated daily loss of income of $10,000 due to the virus attack, the proposed solution's benefit should
exceed this amount to make it a viable option.

If we assume that the virus attack had been avoided, CoinEx would have made $10,000 in income per day. With the
virus attack, the income was reduced by 50% for ten days, which equates to a total loss of $50,000.

Therefore, the cost/benefit analysis for this proposed solution would be as follows:

Cost: $50,000 annually

Benefit: $50,000 once per year
Net Benefit: $0 annually
Based on this analysis, the proposed solution is not viable or justifiable since the cost is the same as the benefit.

For Incident #3 – River Flooding:

The proposed solution is to participate in a Community Floods Defenses Scheme, costing $300,000 annually.
Assuming floods happen every twenty years, the expected loss due to a one-week closure is $20,000 x 5 = $100,000.
Therefore, the cost of the proposed solution is justifiable if it can prevent losses of more than $100,000 every twenty
years.

River Flooding Incident:

Proposed Solution: Participating in a Community Floods Defenses Scheme at a cost of $300,000 in contribution
annually.
Costs:

Annual cost of $300,000 for participating in a Community Floods Defenses Scheme.

Benefits:

Reduce the risk of income loss due to flooding.

Based on the estimated daily loss of income of $20,000 due to river flooding, the proposed solution's benefit should
exceed this amount to make it a viable option.

If we assume that the river flooding incident had been avoided, CoinEx would have made $20,000 in income per day.
With the river flooding incident, the income was reduced by 100% for seven days, which equates to a total loss of
$140,000.

Therefore, the cost/benefit analysis for this proposed solution would be as follows:

Cost: $300,000 annually

Benefit: $140,000 once every 20 years (or $7,000 annually)
Net Benefit: -$293,000 annually
Based on this analysis, the proposed solution is not viable or justifiable since the cost far exceeds the benefit.

2. The viability “justification” of the proposed solutions.

Viability justification of the proposed solutions:

The proposed solutions are viable and justifiable based on the cost/benefit analysis. The proposed solution for
Incident #1 – Information Leakage can prevent losses of more than $200,000 annually, which justifies the cost of
$100,000 for moving to a cloud provider. The proposed solution for Incident #2 – Virus Attack can prevent losses of
more than $100,000 annually, which justifies the cost of $50,000 for upgrading the antivirus software. The proposed
solution for Incident #3 – River Flooding can prevent losses of more than $100,000 every twenty years, which
justifies the cost of $300,000 for participating in a Community Floods Defenses Scheme.

Viability "Justification" of Proposed Solutions:

a. Solution for Incident #1 - Information Leakage:

The proposed solution to move to a cloud provider for their servers is a viable option for reducing the risk of
information leakage. The cost-benefit ratio of 2 indicates that the expected benefits outweigh the cost of the proposed
solution. However, it is important to note that the proposed solution does not guarantee complete risk mitigation, and
other measures should also be considered to enhance security, such as implementing access controls, conducting
regular security audits, and staff training.

b. Solution for Incident #2 - Virus Attack:

The proposed solution to upgrade antivirus software is a viable option for reducing the risk of virus attacks. However,
the expected benefit of the proposed solution is not specified, making it difficult to determine its viability. It is
recommended that the company conduct a cost-benefit analysis to determine the expected benefit of the proposed
solution and its viability.

c. Solution for Incident #3 - River Flooding:

The proposed solution to participate in a Community Floods Defenses Scheme is a viable option for reducing the risk of
income loss due to river flooding. However, the expected benefit of the proposed solution is not specified, making it
difficult to determine its viability. It is recommended that the company conduct a cost-benefit analysis to determine the
expected benefit of the proposed solution and its viability. Additionally,

Part 2: Threat Assessment and Countermeasures (CLO1,3):

 The Management of CoinEx is wondering if any of the following threat agents could possibly have played a role in the
previous information leakage incident that has so far cost the company $400,000 in lost sales annually.
- The inept user
- The malicious hacker
- The corporate spy

Management has asked you to help by reporting on the following:

1. The possibility of which might have played a role in the information leakage incident.

The possibility of which threat agent might have played a role in the information leakage incident:
Based on the nature of the incident, it is likely that the threat agent responsible for the information leakage
incident is a corporate spy. Corporate spies are individuals or organizations that gather confidential business
information for the benefit of a competitor or another party. In this case, the competitor who produced a rival
version of CoinEx's app could have had access to the leaked plans through a corporate spy who had infiltrated
CoinEx's system or had gained unauthorized access to sensitive information.
However, it is important to note that the possibility of other threat agents, such as an inept user or a
malicious hacker, cannot be completely ruled out without further investigation. Inept users may accidentally
leak sensitive information, while malicious hackers can intentionally breach the system to gain access to
confidential data.

2. Recommendations of actions they must take to mitigate this risk for the upcoming product.

Recommendations of actions they must take to mitigate this risk for the upcoming product:
To mitigate the risk of information leakage for the upcoming product, CoinEx should consider implementing the
following countermeasures:
a. Implement Access Control: Access control is the process of limiting access to sensitive information to only authorized
individuals. This can be done by implementing access control policies and procedures, such as user authentication,
authorization, and accountability measures.

b. Conduct Security Awareness Training: CoinEx should conduct security awareness training for all employees to ensure
that they are aware of the importance of information security and the risks associated with information leakage. The
training should cover topics such as social engineering attacks, phishing, and password hygiene.

c. Encrypt Sensitive Data: Encryption is the process of converting sensitive data into a code to prevent unauthorized
access. CoinEx should ensure that all sensitive data is encrypted, both in transit and at rest, to prevent unauthorized
access.

d. Conduct Regular Vulnerability Assessments and Penetration Testing: Vulnerability assessments and penetration
testing can identify weaknesses in CoinEx's security measures and provide recommendations for improvement. This
should be conducted regularly to ensure that the system is secure and up-to-date.

e. Implement Incident Response Plan: In case of a security incident, CoinEx should have a well-defined incident
response plan that outlines the steps to be taken in case of a security breach. The plan should be regularly tested and
updated to ensure its effectiveness.
 Part 3: Contingency Planning (CLO2)
Your recent threat modeling activity at CoinEx really opened management's eyes to the need for risk management.
Now the company is concerned that a major incident could severely disrupt the company, or even put it out of
business. The senior management team flew to an executive retreat last week where they were introduced to the
idea of business continuity planning.

They have just returned from the retreat, and have asked you to help them to better understand the Business
Continuity Process. You should report on the following:
1. The business continuity disasters that CoinEx Company might face.
The business continuity disasters that CoinEx Company might face:
CoinEx Company might face several disasters that could affect its business continuity. These disasters could be
natural or man-made, and they could be caused by various factors such as technology failures, physical
damage, power outages, cyber-attacks, or human errors. The following are some of the potential disasters
that CoinEx Company should consider in their business continuity planning:
Natural disasters such as earthquakes, hurricanes, floods, wildfires, or tornadoes.
Man-made disasters such as terrorist attacks, cyber-attacks, power outages, or supply chain disruptions.
Infrastructure failures such as server crashes, data center outages, or network outages.
Human errors such as accidental data deletion, incorrect data entry, or unauthorized access.

2. The critical business processes that CoinEx needs to sustain during a disaster.

The critical business processes that CoinEx needs to sustain during a disaster:
To ensure business continuity during a disaster, CoinEx needs to identify its critical business processes and prioritize
them based on their importance to the company's operations. The critical business processes that CoinEx needs to
sustain during a disaster may include the following:
Payment processing: CoinEx needs to ensure that it can process payments and transactions during a disaster to
maintain its revenue stream.
Customer support: CoinEx needs to maintain customer support to ensure that customers can access their accounts and
resolve any issues they may have.
System monitoring and maintenance: CoinEx needs to ensure that it can monitor and maintain its systems during a
disaster to prevent further damage and ensure a quick recovery.
Security and risk management: CoinEx needs to maintain its security and risk management processes to ensure that its
systems and data are protected during a disaster.

3. The processes that you think CoinEx should recover first.

The processes that CoinEx should recover first:

In a disaster scenario, CoinEx should prioritize its recovery efforts based on the critical business processes that were
identified earlier. CoinEx should recover the following processes first:
Data recovery: CoinEx should prioritize the recovery of its data to ensure that it can resume its operations as soon as
possible.
Infrastructure restoration: CoinEx should prioritize the restoration of its infrastructure, including its servers, networks,
and data centers, to ensure that it can resume its operations.
Business applications: CoinEx should prioritize the restoration of its business applications, including payment processing
and customer support systems, to ensure that it can continue to operate and serve its customers.
Security and risk management: CoinEx should prioritize the restoration of its security and risk management processes
to ensure that its systems and data are protected and secure.

Part 4: Security Outsourcing (CLO5)

 The company is about to launch a new global online exchange. Realizing that it will soon have to support customers
in all time zones, management is considering outsourcing its help desk to provide round-the-clock customer care.
Three competing vendors, two of which are offshore, are being considered for the contract. Each vendor is being
championed by a different manager.

You have been tasked with assisting the vetting process of the prospective vendors. You should report on the
following:
1. The most important factors that should be considered when evaluating the three competing vendors.
The most important factors that should be considered when evaluating the three competing vendors are:
Expertise: The vendor should have a team of highly skilled professionals who are experienced in handling a help desk
for a global online exchange. They should have a deep understanding of the industry, the technology, and the customer
base.
Reliability: The vendor should be reliable in terms of uptime, response time, and resolution time. They should have a
robust infrastructure, redundant systems, and disaster recovery plans in place.
Security: The vendor should have strong security measures in place to protect the company's data and customers' data.
They should follow industry best practices, comply with relevant regulations, and have a clear policy on data privacy
and confidentiality.
Cost: The vendor's pricing should be competitive and transparent. The cost should be aligned with the quality of service
provided and the level of expertise offered.

2. The differences between the evaluation criteria of offshore vendors and local vendors.

The evaluation criteria for offshore vendors may differ from those for local vendors due to the following factors:
Time zone differences: Offshore vendors may have different working hours, which can affect the response time and
availability of the help desk. The evaluation criteria should consider the ability of the vendor to provide 24/7 support.
Cultural differences: Offshore vendors may have different cultural norms and communication styles, which can affect
the quality of service provided. The evaluation criteria should consider the vendor's ability to understand and adapt to
the company's culture and communication style.
Legal and regulatory differences: Offshore vendors may be subject to different laws and regulations, which can affect
the data privacy and security measures in place. The evaluation criteria should consider the vendor's compliance with
relevant regulations and the company's data privacy policies.

Part 5: Personnel and Security Policies (CLO4,5):

Response to the company's new global online exchange has been overwhelming. In order keep up with demand, the
company must quickly expand itself. Management is using this opportunity to implement a more formal
organizational structure at corporate headquarters. New roles are being created in all departments. Some
employees will be promoted into new positions, and some who have not performed as expected will be reassigned,
demoted, or terminated. Many new people will be hired to fill sales, marketing, customer service, accounting, and
management positions. Some staffers who used to enjoy broad privileges (particularly IT personnel) will find their
new duties more focused and restrictive. The company is planning to hire contractors and temporary employees to
help with the work until more permanent employees are hired.

You have been tasked with assisting management in applying personnel security best practices during the
expansion process. You should report on the following:
1. The personnel security practice that the company should be implementing first as it prepares to rapidly
expand.
As the company prepares to rapidly expand, the personnel security practice that should be implemented first is
background screening for all new hires. This should include criminal record checks, employment verification, and
education verification to ensure that all potential hires meet the company's standards and are a good fit for the
organization.
 2. The employee roles, “mentioned in the scenario”, that require the most job position sensitivity profiling.

The employee roles that require the most job position sensitivity profiling include IT personnel, managers, and
accounting staff. These roles typically have access to sensitive information or systems, and therefore require careful
screening and ongoing monitoring.

3. The risk mitigation process that should be considered when reassigning, demoting, or terminating under-
performing staff.

When reassigning, demoting, or terminating under-performing staff, the risk mitigation process should include several
steps. First, the company should document the performance issues and provide clear feedback to the employee. Next,
the employee's access to sensitive systems and information should be immediately revoked. Finally, the company
should have a plan in place to ensure that any remaining work is completed and that the employee's departure does
not cause disruption to critical business processes. In addition, the company should ensure that all remaining
employees are aware of the situation and are reminded of the importance of maintaining the security and
confidentiality of company information.
 Part 6: Education, Training and Awareness (CLO3,4):
After the organization's restructuring, management is concerned that new employees, and even existing employees
in new roles, don't have the adequate security knowledge that they should to keep the organization safe. Up until
now, there hasn't been any formal process for getting people trained on the company's security policies, standards,
and guidelines.

Rather than continue to take a passive approach to people-based security, you've been tasked with planning a
training program for all employees to go through. You should report on the following:
1. The security issues that need to be addressed in this training program.
The security issues that need to be addressed in this training program may include:
Password management: Employees need to be trained on how to create strong passwords, how to store them securely,
and why it's important to keep them confidential.
Social engineering: Employees need to be trained to recognize and resist social engineering attacks such as phishing,
pretexting, and baiting.
Data protection: Employees need to be trained on how to properly handle sensitive data, including how to identify it,
how to classify it, how to store it securely, and how to dispose of it when it's no longer needed.
Physical security: Employees need to be trained on how to maintain physical security, including how to secure their
work area, how to safeguard company equipment, and how to report suspicious activity.
Incident response: Employees need to be trained on how to respond to security incidents, including how to report
them, who to report them to, and what actions to take to minimize the impact.

2. The objectives and expected outcomes for the training.

The objectives and expected outcomes for the training should include:
Increased awareness and understanding of security issues and risks
Improved security behavior and practices
Reduced risk of security incidents and breaches
Improved incident response and recovery times

3. The key points that your training should include for general staff.

The key points that the training should include for general staff may include:
The importance of security and how it relates to the company's success
Basic security principles and concepts
The most common security risks and threats
How to recognize and report security incidents
Best practices for password management, data protection, and physical security

4. The training program for different managerial job roles/levels (e.g., board of directors, management, IT staff,
security personnel, etc.)?

The training program for different managerial job roles/levels may include:
Board of Directors: This group may require a high-level overview of security risks and governance, as well as the
regulatory and compliance landscape.
Management: This group may require training on how to implement security policies and procedures, how to manage
security incidents, and how to communicate security issues to their teams.
IT staff: This group may require technical training on security tools and technologies, as well as training on how to
manage security risks related to system administration and network management.
Security personnel: This group may require advanced training on security concepts and practices, incident response,
risk assessment, and security auditing.
 II. Project Tasks and Deliverables
1. Group Report
This is a group effort and is worth 50% of the project grade.

Prepare a professional report which should address all the reporting requirements associated with each of the Parts
(1-6) of the given scenario. Refer to the marking rubric for detail of the expectations.

2. Individual Reflection and Presentation

This is an individual effort and is worth 50% of the project grade.

Students are required to present their project and be ready to defend it. Each group member is expected to
demonstrate knowledge of all the sections of the report.

The following are some points you need to take into consideration while working on the second part of this project:
First: The Final Presentation
- The presentation will start with a general discussion about what you did during working on your group
project.
- A PowerPoint presentation or any other presentation tool can be used to prepare the slides.
- The presentation slides should include a reference to each one of the required tasks.

Second: The Question & Answer Session (Oral Defense)

- The presentation will be followed by a question/answer session in which each one of the team
members will be asked to answer some questions related to what they did in the project.
- The question/answer session is an individual mark. The way students answer questions will be
evaluated individually.
Project Evaluation
1 – Group Report - Rubric for Marking the Report
Insufficient Emerging (60-69%) Satisfactory (70-76%)
Criteria Absent Competent (77-86%) (B-/B/B+) Mastering (87-100%) (A-/A)
(1-59%) (F) (D/D+/C-) (C/C+)

Possible threat agents

Possible threat Possible threat agents are are identified and are
Possible threat agents are identified and are justified to justified to full detail.
Content agents are identified and are full detail. Consideration of Consideration of the
CLO1 Deliverable: Discuss the submitted identified and are justified to the scenario is reasonably whole scenario is fully
need to secure information as Content is but does somewhat justified. reasonable detail. correlated. Mitigations are correlated. Mitigations
an organizational asset [10 %]: none not Mitigations are Mitigations are identified and are justified to are identified and are
existent. answer identified and are identified and are full detail. Consideration of justified to full detail.
Part 2 (Partial [10 Marks])
the somewhat justified. justified to the scenario is reasonably Consideration of the
question. reasonable detail. correlated. whole scenario is fully
correlated.

Incidents Risk and CBA

Incidents Risk and calculations are correct
Incidents Risk and Incidents Risk and CBA
CLO2 Deliverable: Discuss the CBA calculations are and explained to a full
CBA calculations are calculations are correct and
role of security risk Content correct and extend. Consideration of
correct and explained to a full extend.
submitted explained to a the whole scenario is
management and contingency explained to a full Consideration of the whole
Content is but does reasonable extend. fully correlated.
planning in safeguarding extend. scenario is reasonably
none not Consideration of Consideration of
information assets [40 %]: Consideration of correlated. Consideration of
existent. answer effective effective contingency
effective effective contingency
Parts 1 [20 Marks] and the contingency planning is correct and
contingency planning is correct and fully
question planning is correct fully justified in relation
Part 3 [20 Marks] planning is correct justified in relation to
and reasonably to associated risks of
and fully justified. associated risks of Part1.
justified. Part1 and the whole
scenario.
 Insufficient Emerging (60-69%) Satisfactory (70-76%)
Criteria Absent Competent (77-86%) (B-/B/B+) Mastering (87-100%) (A-/A)
(1-59%) (F) (D/D+/C-) (C/C+)

General threat Specific threat Whole scenario detailed

CLO3 Deliverable: Examine categories and categories and specification of threat
Content Detailed specification of
different types of security possible mitigations possible mitigations categories and possible
submitted threat categories and possible
threats and corresponding are identified and are identified and mitigations are identified
Content is but does mitigations are identified and
are somewhat are somewhat and are somewhat
countermeasures [10 %]: none not are somewhat justified.
justified. General justified. Specific justified. Whole scenario
existent. answer Detailed specification of
Part 2 (Partial [5 Marks]) and counter measures counter measures detailed specification of
the counter measures is identified
are identified and are identified and counter measures is
Part 6 (Partial [5 Marks]) question. and are somewhat justified.
are somewhat are somewhat identified and are
justified. justified. somewhat justified.

CLO4 Deliverable: Describe the Details related to

legal and public relations Content Details related to personnel security
Details related to Details related to personnel
implications of security and submitted personnel security measures and
personnel security security measures and
privacy issues [20 %]: Content is but does measures and implication on operation
measures and implication on operation are
none not implication on are provided and fully
implication on provided and fully justified
Part 5 (Partial [10 Marks]) and existent. answer operation are justified with enough and
operation are with enough and accurate
Part 6 (Partial [10 Marks]) the provided and fully accurate detail and fully
provided. detail.
question. justified corelated with the whole
scenario.

CLO5 Deliverable: Apply major Measures related to

security outsourcing have
techniques, approaches and Content Measures related to Measures related to security
been researched and
tools to discover system submitted Measures related to security outsourcing outsourcing have been
explained in relation to
Content is but does security outsourcing have been researched and explained in
vulnerabilities and protect the given scenario with
none not have been researched and relation to the given scenario
information assets [20 %]: clear emphasis on the
existent. answer researched and explained in with clear emphasis on the
importance of the vetting
the stated. relation to the given importance of the vetting
Part 4 (Partial [15 Marks]) and process and full
question. scenario. process.
Part 5 (Partial [5 Marks]) consideration of the
whole given scenario.
 2 – Rubric for Marking Oral Defense
Insufficient Emerging (60-69%) Satisfactory (70-76%) Competent (77-86%) Mastering (87-100%)
Criteria Absent
(1-59%) (F) (D/D+/C-) (C/C+) (B-/B/B+) (A-/A)

Demonstrates some Demonstrates extensive

knowledge of the Demonstrates good knowledge of the topic by
Follow-up Unable to Responds Demonstrates excellent
topic by responding knowledge of the topic responding confidently,
Questions and demonstrate any inaccurately and knowledge of the topic by
to some questions by responding accurately precisely and appropriately
knowledge of inappropriately responding with accurate
Discussion and making mistakes and appropriately to to questions.
the topic. to questions. detail to almost all questions.
in answering other almost all questions.
Questions.